
news · 12 min read

Bulletin — August 2025

AI Act GPAI in application with 26 signatories and Meta out. Trump publishes the AI Action Plan. Black Hat and DEF CON dominate the first week — AgentFlayer exposes zero-click in enterprise agents, ATLANTIS wins AIxCC with 18 real patched zero-days. WinRAR CVE-2025-8088 exploited by eight groups. Exchange hybrid CVE-2025-53786 with ED 25-02. Salt Typhoon: 13-country advisory.

· Manuel López Pérez · news


August starts with the AI Act entering application for GPAI and the US AI Action Plan published in late July; continues with the double Black Hat / DEF CON 33 week with AgentFlayer, AIxCC final and a host of AI findings; and closes with three high-magnitude advisories: CVE-2025-8088 (WinRAR) in KEV with eight groups exploiting, CVE-2025-53786 (Exchange hybrid) with emergency directive, and the joint advisory from 13 countries on Salt Typhoon. Chronological review.

AI Act GPAI in application — 2 August

2 August. Second step of Regulation (EU) 2024/1689 in application: Chapter V obligations for GPAI model providers (Arts. 53-55). Technical documentation, training data summary, copyright policy for everyone; adversarial evaluations, incident reporting and weights cybersecurity for systemic-risk models (>10^25 FLOPs).

The Code of Practice for GPAI (published by the AI Office on 10 July, endorsed via adequacy decisions on 1 August) is signed by 26 providers — OpenAI, Anthropic, Google, Microsoft, Amazon, Mistral, Aleph Alpha, Cohere, IBM, among others. Meta doesn’t sign, with a public statement from Chief Global Affairs Officer Joel Kaplan on 18 July. xAI signs only the Safety and Security chapter, not Transparency or Copyright. Chinese providers (DeepSeek included) don’t sign.

Covered in detail in the technical post with a table of obligations by article and a comparison of signatories.

Official sources: https://eur-lex.europa.eu/eli/reg/2024/1689/oj · https://code-of-practice.ai/ · https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers

AI Action Plan — Trump publishes it on 23 July

23 July (full echo in August). The White House publishes Winning the Race: America’s AI Action Plan. Strategic document of the Trump administration with three pillars: Accelerating AI Innovation, Building American AI Infrastructure, Leading in International AI Diplomacy and Security. Identifies more than 90 federal actions split among the three pillars.

What’s operationally most concrete:

  • Federal procurement: directive that only “unbiased” models — free of “ideological dogmas such as DEI” — be eligible for federal procurement. The phrase is the open question: who gets to define “unbiased”, and against what benchmark.
  • Electrical infrastructure: priority to frontier energy sources (enhanced geothermal, nuclear fission, fusion).
  • CHIPS Act streamlining: removal of policy requirements considered “extraneous” in CHIPS Act-funded projects.
  • Standards for high-security data centres and partnerships for training programs.

The contrast with the EU AI Act is deliberate and symmetric — the US plan presents itself explicitly as a non-regulatory route, aligned with Vance’s position at the Paris AI Action Summit (February 2025). For Trust & Safety in an organisation with transatlantic presence, the regulatory calendar diverges: the EU accelerates obligations (Art. 5 in February, GPAI in August, Annex III in August 2026); the US slows federal obligations and lets states like California set the tone.

Official source: https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf

Black Hat USA 2025 — 2-7 August

Mandalay Bay, Las Vegas. 20,000 verified attendees. AI is once again the connecting thread — second consecutive year of dedicated AI Summit.

The most notable talks from the AI security angle:

AgentFlayer (Zenity Labs) — zero-click in enterprise agents

Michael Bargury (Zenity, CTO) presents AgentFlayer: a zero-click prompt injection chain against OpenAI ChatGPT, Microsoft Copilot Studio, Salesforce Einstein, Google Gemini, Microsoft 365 Copilot, and Cursor + Jira MCP. The vector: an email with prompt injection reaches the user’s inbox, the agent reads it (the Drive / Gmail / Outlook connector that many enterprise rollouts give the model by default), and triggers an action chain — access to connected Google Drive, planting fake memories in ChatGPT that persist in future conversations, silent exfiltration.

What’s critical: zero-click. Requires no user interaction beyond having the email in the inbox and the agent activated. Bargury reports to the vendors before the talk. OpenAI and Microsoft Copilot Studio publish patches; other vendors classify it as intended behavior and don’t patch. The distinction separating “bug” from “product decision” when we talk about prompt injection remains political, not technical.

Reading for enterprise deployers: if your organisation has connected ChatGPT Enterprise / Copilot 365 / Einstein to inbox and document storage, the “attacker sends an email” threat model needs reopening. The effective control remains capability segmentation — don’t give the agent access to inbox and outbound at the same time.
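The capability segmentation described above, as an added example (not Zenity’s or any vendor’s code): a gate in front of the agent’s tool calls that marks the session as tainted once an inbound connector has been read, refuses outbound and memory-writing tools afterwards, and emits the tool-call audit record a SOC would want. Tool names and the audit format are assumptions for this example.

```python
"""Capability gate for a connected assistant's tool calls (added example).

Assumed connector names; a real deployment maps its own tools into the
three sets below. The point is the ordering rule: reading untrusted content
(inbox, shared drive) and then acting outward (send, fetch) or persisting
state (memory) in the same session is exactly the AgentFlayer chain.
"""
from dataclasses import dataclass, field
import json

# Assumed classification of tools for this example.
UNTRUSTED_INPUT = {"gmail.read", "outlook.read", "drive.read"}
OUTBOUND = {"gmail.send", "http.fetch", "drive.share"}
PERSISTENT = {"memory.write"}


@dataclass
class Session:
    tainted: bool = False                 # untrusted content already in context?
    audit: list = field(default_factory=list)   # one JSON line per tool call


def gate_tool_call(session: Session, tool: str, args: dict) -> bool:
    """Return True if the call may proceed. Every decision is logged."""
    allowed, reason = True, "ok"
    if session.tainted and tool in OUTBOUND:
        allowed, reason = False, "outbound call after untrusted input"
    elif session.tainted and tool in PERSISTENT:
        allowed, reason = False, "memory write after untrusted input"
    if allowed and tool in UNTRUSTED_INPUT:
        session.tainted = True            # from here on the context is hostile
    session.audit.append(json.dumps({
        "tool": tool, "args": args, "allowed": allowed, "reason": reason,
    }))
    return allowed


def run_trace(calls):
    """Replay (tool, args) pairs through one session; return decisions + audit log."""
    session = Session()
    decisions = [gate_tool_call(session, tool, args) for tool, args in calls]
    return decisions, session.audit
```

The same outbound tool is permitted before any inbox read and refused after it, which is the whole control: segmentation by order of capability use, not a blanket ban on either connector.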

Source: https://www.csoonline.com/article/4036868/black-hat-researchers-demonstrate-zero-click-prompt-injection-attacks-in-popular-ai-agents.html

Brendan Dolan-Gavitt (NYU / XBOW) — AI Agents for Offsec with Zero False Positives

Dolan-Gavitt presents the results of XBOW running autonomous pentesting agents against real web applications (HackerOne). The team reached #1 on HackerOne during Q2 2025. More than 200 real zero-days discovered in public applications, with very low false-positive rate thanks to the validation / exploit confirmation pipeline.

The paper is relevant because it’s the first solid public report on functional LLM-as-pentester at scale — no demo, no synthetic benchmark, but paid bug bounty against real targets. Precursor of what would happen later at AIxCC.

Source: https://i.blackhat.com/BH-USA-25/Presentations/US-25-Dolan-Gavitt-AI-Agents-for-Offsec-with-Zero-False-Positives-Thursday.pdf

Other Black Hat AI Summit talks

  • PyTorch TorchScript code execution — the Alibaba Cloud team presents a vulnerability in PyTorch’s model loader allowing RCE bypassing safety checks. Assigned CVE. Classic supply chain vector now with the model weight as an artefact.
  • AI supply chain as a cross-cutting topic: vulnerabilities in third-party model registries, in third-party model files, packaging.

General source: https://blackhat.com/us-25/ai-summit.html

DEF CON 33 — 7-10 August

Las Vegas Convention Center. 32 villages. AI Village with Generative Red Team 3 — community hackathon to produce reproducible evals of commercial models. Car Hacking Village with hard CTF (firmware unpacking + XOR crack + buffer overflow exploitation in ARM64 with randomized syscall numbers).

The main milestone: DARPA AIxCC final on Friday the 8th — Team Atlanta wins with ATLANTIS, 18 real zero-days found among the seven finalist CRSs. Covered in the extra post with detail on architecture, costs ($152 per challenge task), and mandatory open-sourcing of post-final CRSs.

Sources: https://aivillage.org/events/defcon33/ · https://www.darpa.mil/news/2025/aixcc-results

WinRAR CVE-2025-8088 — eight groups exploiting

18 July (operational echo in August). ESET observes zero-day exploitation of CVE-2025-8088 — path traversal in WinRAR for Windows. Vector: a malicious .rar archive that uses NTFS Alternate Data Streams to write its payload to a directory other than the one the user chose when extracting. The chain typically ends in persistence in %STARTUP% with the actor’s malware.

Timeline:

  • 18 Jul: ESET observes spearphishing campaign against finance, manufacturing, defence and logistics, attributed to UNC4895 / RomCom.
  • 20 Jul: ESET reports to RARLAB.
  • 24 Jul: patch available.
  • 30 Jul: WinRAR 7.13 public with the fix.
  • 12 Aug: CISA adds CVE-2025-8088 to KEV with federal remediation deadline 2 September.

By the KEV date, at least eight distinct groups had weaponised the vuln: UNC4895/RomCom, APT44/Sandworm, TEMP.Armageddon/Gamaredon, Turla, Paper Werewolf, unattributed China-linked actors, and various financially motivated operators. Typical adoption speed when a public PoC exists and there is a 12-day operational window between disclosure and the public patch.

Repeated operational lesson: WinRAR remains ubiquitous on enterprise desktops (GPO deployment, not update manager). Patching coverage is manual. The path traversal + ADS vector combines two primitives already in the literature — the novelty is the concrete use against WinRAR specifically. Any file extractor touching NTFS ADS remains a surface.
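The check any extractor touching NTFS should make before writing an entry, as an added example (not RARLAB’s code and not a reproduction of the patched bug): resolve the entry name under the directory the user chose, refuse anything that escapes it, and refuse ADS-style names outright. The destination directory and entry names are constructed samples.

```python
"""Destination check for an archive extractor (added example).

The WinRAR bug above combined path traversal with alternate data streams so
that an entry landed outside the user's chosen directory. Before writing an
entry, an extractor should (1) reject NTFS stream syntax ("name:stream") and
drive-qualified names, (2) reject absolute or rooted names, and (3) normalise
the joined path and confirm it is still inside the destination. String
matching on ".." alone is not the check; normalisation is.
"""
import ntpath
import posixpath


def is_safe_entry(dest_dir: str, entry_name: str, windows: bool = True) -> bool:
    """Return True only if writing entry_name under dest_dir stays inside dest_dir."""
    path = ntpath if windows else posixpath

    # 1. On NTFS a colon introduces an alternate data stream or a drive letter;
    #    neither belongs in an archive entry name. Refuse without further parsing.
    if windows and ":" in entry_name:
        return False

    # 2. Absolute or rooted names ("\Windows\...", "/etc/...") are never relative
    #    to the chosen directory. ntpath.isabs() treats a lone leading separator
    #    differently across Python versions, so check the prefix explicitly too.
    if path.isabs(entry_name) or entry_name.startswith(("/", "\\")):
        return False

    # 3. Resolve ".." and mixed separators, then compare against the destination.
    #    normcase folds case and separators on Windows so the comparison is exact.
    target = path.normcase(path.normpath(path.join(dest_dir, entry_name)))
    root = path.normcase(path.normpath(dest_dir))
    return target == root or target.startswith(root + path.sep)


def filter_entries(dest_dir: str, entry_names, windows: bool = True):
    """Split an archive listing into (accepted, rejected) before extraction starts."""
    accepted = [n for n in entry_names if is_safe_entry(dest_dir, n, windows)]
    rejected = [n for n in entry_names if n not in accepted]
    return accepted, rejected
```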

Sources: https://nvd.nist.gov/vuln/detail/CVE-2025-8088 · https://www.cisa.gov/news-events/alerts/2025/08/12/cisa-adds-three-known-exploited-vulnerabilities-catalog

NVIDIA Triton — chain CVE-2025-23319/23320/23334 to AI server takeover


August 2025. Wiz Research publishes a chain of three CVEs in NVIDIA Triton Inference Server (the most widely used inference server in enterprise production for classic ML + LLMs) that combined give full pre-auth RCE:

  • CVE-2025-23319 — the attacker obtains the unique name of an internal shared memory region by sending a crafted request to the Python backend endpoint.
  • CVE-2025-23320 — with that name, read/write in the shared memory region.
  • CVE-2025-23334 — with read/write, corrupts internal structures and triggers code execution.

The patch arrives in Triton 25.07. The chain attacks the Python backend specifically — the backend used to serve any Python model (PyTorch, TensorFlow, custom). Hosts affected: any Triton deployment exposed to the network without a reverse proxy with prior auth, which remains the default pattern in greenfield deployments. Wiz doesn’t publish a figure for exposed instances, but the Shodan footprint is tens of thousands.

It’s the year’s second major inference server chain after Ollama Probllama CVE-2024-37032 in 2024 and precedes vLLM CVE-2026-22778 in February 2026. The pattern is the same: inference server = HTTP server with complex state, no auth by default, exposed at the model’s perimeter.

Source: https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server · https://thehackernews.com/2025/08/nvidia-triton-bugs-let-unauthenticated.html

Microsoft Patch Tuesday 12 Aug — 107 vulns, 1 zero-day

12 August. Microsoft publishes patches for 107 CVEs, including 1 public zero-day (not exploited in the wild at the time) and 13 critical. The relevant ones:

CVE-2025-53779 — Kerberos privilege escalation (BadSuccessor)

Privilege escalation in Windows Kerberos via relative path traversal on dMSA (delegated Managed Service Account) objects. Allows an attacker with sufficient AD privileges to compromise the entire domain by abusing service delegation. Previous public disclosure with the name BadSuccessor. CVSS 7.2. Microsoft catalogues it Important but the exploitation mechanic is direct when the attacker has foothold in an account with Create permissions on OUs containing dMSAs.

CVE-2025-50165 — Windows Graphics Component RCE

CVSS 9.8. Critical RCE in the Windows graphics component. No public details at Patch Tuesday close on the exact vector; Microsoft catalogues it Exploitation More Likely. Combined with CVE-2025-53766 (GDI+ RCE, also 9.8), the attack surface of Windows Graphics has two critical CVEs in the same month.

CVE-2025-53778 — NTLM elevation of privilege

CVSS 8.8. Allows an authenticated attacker with low privileges to escalate to SYSTEM. Usual pattern in NTLM — Microsoft has published several similar CVEs during 2024-2025 as it deprecates the protocol.

Sources: https://www.tenable.com/blog/microsofts-august-2025-patch-tuesday-addresses-107-cves-cve-2025-53779 · https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2025-patch-tuesday-fixes-one-zero-day-107-flaws/

CISA Emergency Directive 25-02 — Exchange hybrid CVE-2025-53786

7 August. CISA publishes ED 25-02, the year’s first emergency directive forcing short-deadline mitigation on federal agencies. Target: CVE-2025-53786, post-authentication vulnerability in Microsoft Exchange Server hybrid deployments. Allows an attacker with administrative access to on-prem Exchange to escalate privileges and attack the cloud environment connected via hybrid trust.

CISA reports no in-the-wild exploitation activity as of the directive date; the urgency is preventive, based on potential blast radius (access from on-prem to the organisation’s full cloud tenant). Mitigation deadline: 9:00 AM EDT on 11 August — 4 days from the directive’s publication.

Required actions for FCEB:

  • Disconnect Exchange servers not eligible for the April 2025 hotfixes (including end-of-life Exchange servers identified by Microsoft’s Health Checker script).
  • Install the latest cumulative update and apply April 2025 hotfix updates on eligible servers.

CISA recommends the same to non-federal organisations. Microsoft publishes parallel guidance.

Source: https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mitigate-microsoft-exchange-vulnerability

SonicWall SSL VPN — Akira ransomware with CVE-2024-40766


15 July onwards (campaign active during August). Akira ransomware launches a campaign against SonicWall SSL VPN devices. Initial suspicion of zero-day due to exploitation speed + patched targets. SonicWall publishes advisory on 4 August linking the activity to CVE-2024-40766 (already-known vulnerability from the previous year, fix available). Huntress detects some 20 incidents in the first wave.

Post-access pattern: abuse of privileged accounts, persistence with network backdoor, credential theft, disabling defences (Volume Shadow Copies deleted) and Akira deployment. MFA on SSL VPN didn’t stop all cases — some involved secondary credentials of service accounts.

Reading: it wasn’t a zero-day, but operationally it behaves like one because of the long gap between disclosure (2024) and actual patch hygiene at SMB shops that rely on SonicWall as their entire perimeter. Akira exploits that window.

Source: https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html

CISA Salt Typhoon advisory — 27 August

27 August. CISA + NSA + FBI + authorities from 12 additional countries publish joint advisory AA25-239A: Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. Identifies sustained activity by PRC-state actors against telcos, government, transport, hospitality and military networks at global scale. Overlap with Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, GhostEmperor.

Consolidated pattern:

  • Targeting of backbone routers and provider/customer edge routers in telcos.
  • Modification of router firmware/configuration for long-term persistence.
  • Access to telecom data (call metadata, in some cases content) that allows identifying and tracking targets of interest at international scale.

The advisory consolidates a long year of sector findings (Salt Typhoon against US telcos detected in September 2024, expansion to UK, Canada, Australia, Italy, NZ, during 2024-2025) into an international cooperative framework. The ask of telco operators: specific hardening of backbone routers, segmentation of management planes, MFA on management interfaces, audit of configuration changes.

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

Rest of the month

  • Apple Patch Tuesday August — iOS / macOS / iPadOS with various fixes; no in-the-wild zero-day reported at month-close.
  • Google Chrome 138 / 139 — multiple V8 and render fixes. No in-the-wild exploitation during August.
  • OpenAI publishes GPT-5 on 7 August. Flagship model that replaces GPT-4o as default in ChatGPT; native multimodal, integrated reasoning (not as a separate mode). Version GPT-5 Thinking for visible chain-of-thought. Possible security write-ups to publish in September as the model stabilises.
  • Anthropic publishes Claude Opus 4.1 on 5 August. Incremental update over Claude 4 with improvements on agentic benchmarks. No major Responsible Scaling Policy update; the SSF for Claude Opus 4 is maintained.
  • Industrial control systems — CISA publishes several ICS advisories during the month for industrial vendors (Siemens, Rockwell, others). No associated media incidents.

Pattern of the month

August crystallises two things the calendar had been marking.

One: AI security moves from “emerging category at conferences” to “category with reproducible metrics”. AgentFlayer (zero-click confirmed on six commercial platforms) and AIxCC (18 real zero-days found at $152 each) stop being “interesting research” and become operational data. The question for defenders is no longer whether agents are an attack surface, it’s how to segment capabilities of the connected agent and what visibility the SOC has over the agent’s tool calls. For the modern SOC, the agent’s tool-call log matters as much as the activity log of a human endpoint.

Two: the AI Act regulatory calendar is no longer a promise. GPAI in application, 26 CoP signatories, Meta out, first real test of the adequacy decision as a vehicle for presumption of conformity. September and October will bring the first formal FLOPs notifications to the AI Office from providers exceeding the threshold during the training calendar of the next generation. And as the AI Office publishes more concrete guidelines on serious incident reporting and cybersecurity of weights, providers will have to show real policy, not general statements.

September starts with OpenAI and Anthropic settling their August releases, several research events on post-final AIxCC, and the Apple iPhone 17 launch (expected mid-month) with its annual batch of iOS CVEs.
